op-ssh-sign

kbkbkb
kbkbkb
Community Member

Hello,

Can op-ssh-sign be open sourced?
This would be useful because just op-ssh-sign can then be ported to other architectures, and can work in symphony with 1pw on the desktop, via IdentityAgent on the desktop and any other machine over SSH.

Thoughts?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • While open sourcing op-ssh-sign would certainly be an interesting option, it's not likely to happen soon, unfortunately. But which other architectures are you thinking about?

    And for remote commit signing use cases (e.g. using agent forwarding), you can also use OpenSSH's ssh-keygen command, which works with 1Password if you set the SSH_AUTH_SOCK environment variable to the 1Password SSH socket. In fact, ssh -A already configures this automatically on the remote host.

  • kbkbkb
    kbkbkb
    Community Member
    edited June 2023

    Hi @floris_1P, the arch in question is s390x - IBM mainframe :)

    So, if I use IdentityAgent or SSH_AUTH_SOCK on my workstation's SSH config, then ssh-keygen on s390x will be able to use 1pw on the workstation to look up the keys?
    I already use IdentityAgent on the host with agent forwarding, so git push on s390x triggers the auth prompt on the host's 1pw.

    At the moment, newer OpenSSH that supports SSH for commit signing is not ready for zOS yet (https://github.com/zosopentools/opensshport). zOS is a mainframe operating system.

    EDIT: Is there any chance at all of using GPG signing workflow on s390x, but then it co-ordinates with GPG keys within 1pw, via the host's agent?

    In general, I'm looking to get as much of the cool stuff to support IBM Z as well.
    So, 1pw CLI for example, or op-ssh-sign supporting Z will be great.
    Perhaps a skimmed-down version of libs that are easy to port, but can work well with 1pw on the host.

  • If agent forwarding already works, then it should work too for commit signing if the git and ssh-keygen versions are recent enough.

    You do have to configure Git on the remote host too to use your SSH key for commit signing:

    git config --global gpg.format ssh
    git config --global user.signingkey 'ssh-ed25519 <your public key>'
    
  • kbkbkb
    kbkbkb
    Community Member

    Okay, thank you!

  • kbkbkb
    kbkbkb
    Community Member

    Writing back to confirm that this does work, thanks again!

  • kbkbkb
    kbkbkb
    Community Member

    Hi @floris_1P, a follow-up question...

    I see 1pw service accounts is now GA, and requires the availability of 1pw CLI on the host/server, to use with CI/CD. As mentioned above, I'm on a mainframe operating system called z/OS (arch s390x).

    Is 1pw the company interested in producing 1pw CLI builds for s390x, essentially entering the world of mainframes? If yes, we can work out SSH access to a zOS system through emails.

This discussion has been closed.